Paubox blog: HIPAA compliant email made easy

Sharing patient information with authorization

Written by Kirsten Peremore | November 04, 2023

A covered entity may disclose protected health information specified in an authorization, even if that information was generated after the permission was granted. However, the disclosure must strictly adhere to the terms and scope outlined in the authorization and comply with HIPAA.

 

What is valid authorization?

Authorization content and specificity: The authorization must be specific about the information being shared and for what purpose. It should specify the type of PHI, the purpose for which it is being disclosed, and with whom it will be shared. 

Authorization duration: If an individual gives consent, there's typically an expiration stated within the authorization form. Covered entities cannot share PHI after the authorization has expired unless a new authorization is obtained.

Consistency with authorization terms: Covered entities must strictly adhere to the terms and conditions outlined in the authorization. They cannot share more information than explicitly mentioned, and they should limit the disclosure to the agreed-upon purpose and recipients.

Information created after authorization: As mentioned earlier, if the authorization covers a specific category of information and new information within that category is created after the authorization was granted, that information can generally be disclosed.

Revocation of authorization: Individuals have the right to revoke their permission at any time. Once permission is revoked, the covered entity must cease further disclosures of PHI; disclosing any information after revocation can lead to HIPAA violations.

 

Circumstances where PHI can be shared with authorization

  • PHI can be shared when an individual gives clear permission for specific information to be disclosed.
  • PHI can be shared if an individual provides authorization specifically for research-related use.
  • Sharing PHI is allowed if an individual consents for their information to be used for marketing or fundraising purposes.
  • PHI can be shared when required by law, court order, or governmental request.
  • If a parent or guardian provides consent, certain healthcare information about a minor can be shared.
  • When an existing authorization covers a specific category of information created after the authorization was signed, that information can be disclosed.
  • Sharing PHI is allowed if employees consent for their health information to be used in employer-sponsored health programs.
  • PHI can be shared if an individual authorizes disclosure to family members or close associates for healthcare-related needs.

 

Limitations on sharing PHI

  1. Specific authorization requirement: PHI can only be shared within the boundaries specified in the individual's authorization. If the approval does not cover a specific disclosure, the covered entity cannot share that information.
  2. Authorization expiry and revocation: If the authorization has expired or if the individual has revoked it, the covered entity cannot continue to share the PHI.
  3. Minimum necessary standard: Covered entities are restricted to sharing only the minimum amount of PHI necessary to achieve the intended purpose specified in the authorization.
  4. Purpose limitation: Using the information for any purpose beyond what was authorized is not allowed.
  5. Recipient verification: Covered entities must ensure that the recipient is authorized to receive the PHI and complies with HIPAA regulations.
  6. Secure transmission and storage: PHI must be transmitted and stored securely to prevent unauthorized access or breaches.
  7. De-identification techniques: Before sharing PHI, covered entities might de-identify information whenever possible to protect patient anonymity and privacy.